sysadmin/packet_capture.cpp at master · hannes427/sysadmin · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
#include <iostream>
#include <fstream>
#include <regex>
#include <filesystem>
#include <boost/program_options.hpp>
#include <signal.h>

const std::string MODULE = "packetcapture";

int startcapture (int argc, char **argv) {
   /* Not full implemented yet
    if(!check_auth(MODULE)) {
         std::cerr<<std::endl<<"Error! Authentication failed! Did you run this program from the command line?"<<std::endl<<std::endl;
         return 1;
    }*/
    int current_uid = getuid();
    std::string arguments = "-Z root -U -n -e -tttt";
    std::string filter_on = "";
    bool filter = false;
    try {
        boost::program_options::options_description desc{"Options"};
        desc.add_options()
        ("help,h", "Help screen")
        ("count-bytes,c", boost::program_options::value<std::string>(), "Exit after receiving <arg> packets")
        ("maxsize,C", boost::program_options::value<std::string>(), "Maximum size of dump-file. If filesize is larger, a new file is created.")
        ("interface,i", boost::program_options::value<std::string>(), "Interface to listen on")
        ("maxfilecount,W", boost::program_options::value<std::string>(), "Filecount (in conjunction with the -C option")
        ("ip_version", boost::program_options::value<std::string>(), "Filter on IP version (ip or ip6)")
        ("protocol", boost::program_options::value<std::string>(), "Filter on protocol (tcp, udp, icmp, arp)")
        ("host_address", boost::program_options::value<std::string>(), "Filter on Host (source and destination)")
        ("port", boost::program_options::value<std::string>(), "Filter on port e.g. '80' or '80-85' ")
        ("path", boost::program_options::value<std::string>(), "Path to the dump-file");

        boost::program_options::variables_map vm;
        store(parse_command_line(argc, argv, desc), vm);

        if (vm.count("help")) {
            std::cout << desc << '\n';
            return 0;
        }

        notify(vm);

        if (vm.count("count-bytes")) {
            arguments = arguments+" -c "+vm["count-bytes"].as<std::string>();
        }
        if (vm.count("maxsize")) {
            arguments = arguments+" -C "+vm["maxsize"].as<std::string>();
        }
        if (vm.count("interface")) {
            arguments = arguments+" -i "+vm["interface"].as<std::string>();
        }
        if (vm.count("maxfilecount")) {
            arguments = arguments+" -W "+vm["maxfilecount"].as<std::string>();
        }
        if (vm.count("ip_version")) {
            if(filter == true) {
                filter_on = filter_on+" and "+vm["ip_version"].as<std::string>();
            }
            else {
                filter_on = filter_on+" "+vm["ip_version"].as<std::string>();
                filter = true;
            }
        }
        if (vm.count("protocol")) {
            if(filter == true) {
                filter_on = filter_on+" and "+vm["protocol"].as<std::string>();
            }
            else {
                filter_on = filter_on+" "+vm["protocol"].as<std::string>();
                filter = true;
            }
        }
        if (vm.count("host_address")) {
            if(filter == true) {
                filter_on = filter_on+" and host "+vm["host_address"].as<std::string>();
            }
            else {
                filter_on = filter_on+" host "+vm["host_address"].as<std::string>();
                filter = true;
            }
        }
        if (vm.count("port")) {
            if(filter == true) {
				if (vm["port"].as<std::string>().find("-")) { //port range was given
					filter_on = filter_on+" and portrange "+vm["port"].as<std::string>();
				}
				else {
					filter_on = filter_on+" and port "+vm["port"].as<std::string>();
				}
            }
            else {
				if (vm["port"].as<std::string>().find("-")) { //port range was given
					filter_on = filter_on+" portrange "+vm["port"].as<std::string>();
				}
				else {
					filter_on = filter_on+" port "+vm["port"].as<std::string>();
				}
                filter = true;
            }
        }
        if (vm.count("path")) {
            arguments = arguments+" -w "+vm["path"].as<std::string>()+"/dump.pcap";
        }
    }
    catch (const boost::program_options::error &ex) {
        std::cerr << ex.what() << '\n';
    }
    std::string tcpdump = std::string("/usr/bin/tcpdump")+" "+arguments+" "+filter_on+" > /dev/null 2>&1&";
    if (setuid(0)) { //I am now root!
        perror("setuid");
        return 1;
    }
    std::system(tcpdump.c_str());
    setuid(current_uid); //return to previous user
    return 0;
}
int stopcapture (int pid) {
    std::regex processPattern(R"(^\/usr\/bin\/tcpdump)");
    std::string line;
    //Check if PID is a valid tcpdump process
     std::ifstream process;
     if (!std::filesystem::exists("/proc/"+std::to_string(pid)+"/cmdline")) {
          std::cerr<<std::endl<<"Error! Could not open process file! Is "<<pid<<" a valid PID?"<<std::endl<<std::endl;
          return 1;
     }
     process.open("/proc/"+std::to_string(pid)+"/cmdline");
     while(getline(process, line)) {
        std::smatch match;
        if (std::regex_search(line, match, processPattern)) { // PID is a valid tcpdump process
             kill(pid, SIGTERM);
        }
        else { //PID is not a tcpdump PID, possible misusage
            std::cerr<<std::endl<<"Error! PID " <<pid<<" is not a valid PID!"<<std::endl<<std::endl;
            return 1;
        }
     }
    return 0;
}
int main (int argc, char **argv) {
    if (argc < 2) {
        std::cerr<<std::endl<<"Error! Usage: "<<argv[0]<<" startcapture || stopcapture"<<std::endl<<std::endl;
        return 1;
    }
    else if(argv[1] == std::string("stopcapture") && argc < 3) {
        std::cerr<<std::endl<<"Error! Usage: "<<argv[0]<<" stopcapture PID"<<std::endl<<std::endl;
        return 1;
    }
    else if(argv[1] == std::string("deletecapture") && argc < 4) {
        std::cerr<<std::endl<<"Error! Usage: "<<argv[0]<<" deletecapture PID PATH"<<std::endl<<std::endl;
        return 1;
    }
    if (argv[1] == std::string("startcapture")) {
        startcapture(argc, argv);
    }
    else if (argv[1] == std::string("stopcapture")) {
        int pid = atoi(argv[2]);
        stopcapture(pid);
    }
    else if (argv[1] == std::string("deletecapture")) {
        int pid = atoi(argv[2]);
        if (pid != -1) {
             stopcapture(pid);
        }
        std::string path = std::string(argv[3]);
        std::filesystem::remove_all(path);
    }

    return 0;
}